On the Construction of Lightweight Circulant Involutory MDS Matrices


Yongqiang Li a,b, Mingsheng Wang a

a. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
b. Science and Technology on Communication Security Laboratory, Chengdu, China
yongq.lee@gmail.com, wangmingsheng@iie.ac.cn

Abstract. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. The key contribution of the present paper is constructing MDS matrices with entries in the set of $m \times m$ non-singular matrices over $\mathbb{F}_2$ directly, and the linear transformations we use to construct MDS matrices are not assumed pairwise commutative. With this method, it is shown that circulant involutory MDS matrices, which have been proved not to exist over the finite field $\mathbb{F}_{2^m}$, can be constructed by using non-commutative entries. Some constructions of $4 \times 4$ and $5 \times 5$ circulant involutory MDS matrices are given when $m = 4, 8$. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. Furthermore, some lower bounds on the XORs required to evaluate one row of circulant and Hadamard MDS matrices of order 4 are given when $m = 4, 8$. Some constructions achieving the bound are also given, which have fewer XORs than previous constructions.

Keywords: MDS matrix, circulant involutory matrix, Hadamard matrix, lightweight

1 Introduction

A linear diffusion layer is an important component of symmetric cryptography which provides internal dependency for symmetric cryptography algorithms. The performance of a diffusion layer is measured by its branch number. Using a diffusion layer with a bigger branch number provides better resistance to differential and linear attacks.

As for lightweight cryptography, which aims to provide security in resource-limited environments, the cost of implementing a linear diffusion layer is also of importance. With the rapid development of lightweight cryptography, it is of particular interest to investigate the problem of constructing lightweight linear diffusion layers with a bigger branch number.

© IACR. This paper is an extended version of the paper in FSE. More examples of circulant involutory MDS matrices are given in the appendix.

A linear diffusion layer is a linear transformation over $(\mathbb{F}_2^m)^n$, where $m$ is the bit length of an S-box and $n$ is the number of S-boxes that the linear diffusion layer acts on. Since every linear transformation can be represented by a matrix, a linear diffusion layer is often represented by an $n \times n$ matrix whose entries can be viewed as linear transformations over $\mathbb{F}_2^m$. The maximum branch number of an $n \times n$ matrix over $(\mathbb{F}_2^m)^n$ is $n + 1$. A linear diffusion layer with maximum branch number is called a perfect diffusion layer or a Maximal Distance Separable (MDS) matrix. An MDS matrix is a linear multipermutation [21].

A common way to construct MDS matrices is using MDS codes over finite fields. Multiplication with elements of finite fields is a basic operation in the evaluation of a matrix over finite fields. Usually, this operation is heavy in implementation. To improve its implementation efficiency, one often constructs a matrix with fewer distinct finite field elements and chooses field elements with lower Hamming weight. Therefore, matrices that can be defined by fewer elements are preferred, such as circulant matrices and Hadamard matrices. The diffusion layer of AES is a typical example of this construction method: it is a $4 \times 4$ circulant MDS matrix over $\mathbb{F}_{2^8}$.

Another main method to construct lightweight MDS matrices is the recursive construction. The main idea is to first construct a linear transformation which is sparse and compact in implementation, and then compose it with itself several times to get an MDS matrix. This method was first used in the design of the Photon lightweight hash family [10] and the LED lightweight block cipher [9], and then attracted lots of attention. The method is extended by using linear transformations instead of multiplications by finite field elements in [19]. Then the work is improved by using linear transformations with fewer XORs in [22], where some extremely lightweight MDS matrices are given. A method to get rid of the expensive symbolic computations of the above method for constructing larger recursive MDS matrices is given in [1]. The method is further investigated in [12]. The construction of recursive MDS matrices also has a relation with coding theory. It is shown that recursive MDS matrices can be constructed from Gabidulin codes [4], and can also be obtained directly from shortened MDS cyclic codes [2]. However, a recursive MDS matrix may lead to high latency, since it has to run several rounds to get outputs. Then how to construct lightweight MDS matrices without using the recursive construction is an interesting problem that needs further study.

Some works revisit the method of constructing MDS matrices over finite fields by choosing elements whose multiplication can be implemented more efficiently. Recently, it was shown that the choice of the irreducible polynomial used to compute multiplication with field elements has a great influence on the efficiency [18]. This property is further investigated in [20], where algorithms are designed to search for lightweight MDS matrices with few XORs required to evaluate one row of the corresponding matrix. Several constructions and their comparisons with previous constructions are also given in [20].

Our Contributions. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. Note that multiplication with elements of the finite field $\mathbb{F}_{2^m}$ is only a special type of linear transformation over $\mathbb{F}_2^m$. Moreover, there exist many other linear transformations over $\mathbb{F}_2^m$ which cannot be represented by multiplication with elements of $\mathbb{F}_{2^m}$. Therefore, constructing matrices over the space of linear transformations over $\mathbb{F}_2^m$ may lead to new constructions of lightweight MDS matrices. In previous constructions, the entries used to construct MDS matrices are pairwise commutative, such as MDS matrices over finite fields, or assumed pairwise commutative, such as recursive MDS matrices with elements being linear transformations [19,22]. Since a matrix over a commutative ring is non-singular if and only if its determinant is a unit in the ring, the assumption is convenient for characterizing MDS matrices, as the determinants of square sub-matrices can be computed. However, the restriction to commutative linear transformations may miss MDS matrices with fewer XORs. Therefore, we do not assume that the linear transformations over $\mathbb{F}_2^m$ used to construct MDS matrices are pairwise commutative in the present paper. The strategy we use to determine whether a construction is MDS is computing the rank of all its square sub-matrices. This is too complex for constructing MDS matrices of larger order. In symmetric cryptography algorithms, the most often used S-boxes are 4-bit and 8-bit S-boxes, and diffusion layers of order 4 are often used. Therefore, we focus on constructing $4 \times 4$ MDS matrices with entries in the space of linear transformations over $\mathbb{F}_2^4$ and $\mathbb{F}_2^8$ in the present paper.

The first result is that circulant involutory MDS matrices can be constructed with our method. Circulant involutory MDS matrices can be implemented efficiently, and the same circuit can be used both in encryption and decryption. However, it has been proved in [15,13] that there do not exist circulant involutory MDS matrices over the finite field $\mathbb{F}_{2^m}$. In fact, the proof is only valid when the entries of the matrix pairwise commute. This property is satisfied by previous construction methods but not by our method. We show that there exist circulant involutory MDS matrices over the space of linear transformations over $\mathbb{F}_2^m$, and some constructions are given. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. For the $4 \times 4$ circulant involutory MDS matrices constructed in the present paper, the fewest sum of XORs of one row's entries is $m + 1$, $m = 4, 8$. Moreover, we also construct $4 \times 4$ orthogonal circulant MDS matrices, which are also proved not to exist over finite fields [13].

Lower bounds on the XORs required to evaluate one row of circulant (non-involutory) MDS matrices, involutory Hadamard MDS matrices and Hadamard (non-involutory) MDS matrices are also investigated. We show that for circulant MDS matrices whose first row's entries are $[I, I, A, B]$, the fewest sum of XORs of $A$ and $B$ is 3. For involutory Hadamard MDS matrices, the fewest sum (the fewest sum we get) of the XORs of the entries in the first row is $m + 2$ for $m = 4$ ($m = 8$). For Hadamard MDS matrices, the fewest sum of XORs of one row's

entries is 4 for $m = 4$, and the fewest sum we get of the XORs of one row's entries is 5 for $m = 8$. Lower bounds on the entries of optimal $4 \times 4$ MDS matrices are also characterized.

Outline of This Paper. The present paper is organized as follows. In Sect. 2, we give some preliminaries. A general bound on the XORs required to evaluate one row of circulant and Hadamard MDS matrices is also given. In Sect. 3, we investigate the construction of lightweight involutory, non-involutory and orthogonal circulant MDS matrices. In Sect. 4, we investigate the construction of lightweight involutory and non-involutory Hadamard MDS matrices. Comparisons with previous constructions are given at the end of the section. In Sect. 5, we investigate the construction of lightweight optimal $4 \times 4$ MDS matrices. A short conclusion is given in Sect. 6.

2 Preliminaries and a general bound

A map $A : \mathbb{F}_2^m \to \mathbb{F}_2^m$ is called linear if $A(x + y) = A(x) + A(y)$ for $x, y \in \mathbb{F}_2^m$. Having fixed a basis of $\mathbb{F}_2^m$ over $\mathbb{F}_2$, a linear map over $\mathbb{F}_2^m$ can be represented by an $m \times m$ matrix over $\mathbb{F}_2$, which is also denoted by $A$. Then $A(x) = A \cdot x$, where $x = (x_1, \ldots, x_m) \in \mathbb{F}_2^m$ is viewed as a column vector throughout this paper. A linear map is a permutation over $\mathbb{F}_2^m$ if and only if its matrix representation is non-singular. The notation $\mathrm{GL}(m, S)$ denotes the set of all $m \times m$ non-singular matrices with entries in $S$.

For $a, b \in \mathbb{F}_2$, $a + b$ is called the bit XOR operation. For $A \in \mathrm{GL}(m, \mathbb{F}_2)$, $\#A$ denotes the number of XOR operations required to evaluate $A \cdot x$ directly, where $x \in \mathbb{F}_2^m$, and we say $A$ has $\#A$ XOR operations. It is easy to see that $\#A$ equals the number of XORs in $A(x)$, and hence
$$\#A = \sum_{i=1}^{m} \left(\omega(A[i]) - 1\right),$$
where $\omega(A[i])$ is the number of nonzero entries in the $i$-th row of $A$. For $A \in \mathrm{GL}(m, \mathbb{F}_2)$, a simplified representation of $A$ is given by extracting the nonzero positions in each row of $A$. For example, $[2, 3, 4, [1, 4]]$ is the representation of the matrix
$$\begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \end{pmatrix},$$
and it is a matrix with 1 XOR operation.

Every linear diffusion layer can be represented by a matrix as follows:
$$L = \begin{pmatrix} L_{1,1} & L_{1,2} & \cdots & L_{1,n} \\ L_{2,1} & L_{2,2} & \cdots & L_{2,n} \\ \vdots & \vdots & & \vdots \\ L_{n,1} & L_{n,2} & \cdots & L_{n,n} \end{pmatrix},$$

where $L_{i,j}$ is an $m \times m$ matrix over $\mathbb{F}_2$ for $1 \le i, j \le n$. For $X = (x_1, \ldots, x_n) \in (\mathbb{F}_2^m)^n$,
$$L(X) = \Big( \sum_{i=1}^{n} L_{1,i}(x_i), \ldots, \sum_{i=1}^{n} L_{n,i}(x_i) \Big),$$
where $L_{i,j}(x_k) = L_{i,j} \cdot x_k$ for $1 \le i, j \le n$, $1 \le k \le n$. A linear diffusion $L$ defined as above is called involutory if $L \circ L(X) = X$ for all $X \in (\mathbb{F}_2^m)^n$, which is equivalent to $L^2$ being the identity matrix of order $mn$.

For $X = (x_1, \ldots, x_n) \in (\mathbb{F}_2^m)^n$, the bundle weight of $X$, denoted by $\omega_b(X)$, is defined as the number of nonzero entries of $X$. This means
$$\omega_b(X) = \left|\{x_i : x_i \neq 0,\ 1 \le i \le n\}\right|.$$
The branch number of $L$ is defined as
$$\min\{\omega_b(X) + \omega_b(L(X)) \mid X \in (\mathbb{F}_2^m)^n,\ X \neq 0\}.$$
The upper bound on the branch number of $L$ is $n + 1$, and a matrix achieving the bound is called an MDS matrix.

Square sub-matrices of $L$ of order $t$ means the following matrices
$$L(J, K) = \left(L_{j_l, k_p},\ 1 \le l, p \le t\right),$$
where $J = [j_1, \ldots, j_t]$ and $K = [k_1, \ldots, k_t]$ are two sequences of length $t$ with $1 \le j_1 < \cdots < j_t \le n$ and $1 \le k_1 < \cdots < k_t \le n$. Note that $L(J, K) \cdot (x_1, \ldots, x_t)^T = 0$ has no nonzero solution if and only if $L(J, K)$ is of full rank. Then the following result holds, which is proved in [5].

Theorem 1. Let $L = (L_{i,j})$, $1 \le i, j \le n$, where the entries of $L$ are $m \times m$ matrices over $\mathbb{F}_2$. Then $L$ is an MDS matrix if and only if all square sub-matrices of $L$ of order $t$ are of full rank for $1 \le t \le n$.

According to Theorem 1, the computation becomes complicated when $n$ is large. Therefore, in the present paper we focus on $4 \times 4$ matrices, which are widely used in cryptography. More precisely, we construct lightweight MDS matrices using circulant matrices and Hadamard matrices. Both of them can be defined by the first row's entries and hence can be implemented efficiently.

2.1 A general bound

In this subsection, we give a general bound on the XORs of circulant and Hadamard MDS matrices. A matrix is called circulant if each row is the preceding row rotated to the right by one entry. Then for a $4 \times 4$ circulant matrix, we mean
$$\mathrm{Circ}(A, B, C, D) = \begin{pmatrix} A & B & C & D \\ D & A & B & C \\ C & D & A & B \\ B & C & D & A \end{pmatrix},$$

where $A, B, C, D \in \mathrm{GL}(m, \mathbb{F}_2)$. A $2^k \times 2^k$ matrix $H$ is called a Hadamard matrix if it can be represented as
$$\begin{pmatrix} H_1 & H_2 \\ H_2 & H_1 \end{pmatrix},$$
where $H_1, H_2$ are two $2^{k-1} \times 2^{k-1}$ Hadamard matrices. Then for a $4 \times 4$ Hadamard matrix, we mean
$$\mathrm{Had}(A, B, C, D) = \begin{pmatrix} A & B & C & D \\ B & A & D & C \\ C & D & A & B \\ D & C & B & A \end{pmatrix},$$
where $A, B, C, D \in \mathrm{GL}(m, \mathbb{F}_2)$.

Remember that our aim is constructing MDS matrices with as few XOR operations as possible. Then we prefer linear transformations with no XORs. However, the following result limits the number of such linear transformations that can be used in our constructions.

Lemma 1. Let $L = \begin{pmatrix} L_1 & L_2 \\ L_3 & L_4 \end{pmatrix}$, $L_i \in \mathrm{GL}(m, \mathbb{F}_2)$, $1 \le i \le 4$. If $\mathrm{rank}(L) = 2m$, then $\sum_{i=1}^{4} \#L_i \ge 1$.

Proof. Assume $\#L_i = 0$, $1 \le i \le 4$. Then for $1 \le i \le 4$, each row and each column of $L_i$ has exactly one entry equal to 1, since $L_i$ is non-singular. This means every entry of $\sum_{j=1}^{m} L_i[j]$ equals 1. Therefore, every entry of $\sum_{i=1}^{2m} L[i]$ equals 0, which means $\mathrm{rank}(L) < 2m$, and we complete the proof.

Then we have the following result.

Theorem 2.
1. Let $L = \mathrm{Circ}(A, B, C, D)$ be a circulant MDS matrix, where $A, B, C, D \in \mathrm{GL}(m, \mathbb{F}_2)$. Then $\#A + \#B + \#C + \#D \ge 2$.
2. Let $L = \mathrm{Had}(A, B, C, D)$ be a Hadamard MDS matrix, where $A, B, C, D \in \mathrm{GL}(m, \mathbb{F}_2)$. Then $\#A + \#B + \#C + \#D \ge 3$.

Proof. Let $L = \mathrm{Circ}(A, B, C, D)$ be a circulant MDS matrix. Assume $\#A + \#B + \#C + \#D \le 1$. Then there are at least 3 entries with 0 XORs in the first row. Without loss of generality, we suppose $\#A = \#B = \#C = 0$. Then according to Lemma 1, it holds that
$$\mathrm{rank}(L([1, 2], [2, 3])) = \mathrm{rank}\begin{pmatrix} B & C \\ A & B \end{pmatrix} < 2m.$$
This is a contradiction since $L$ is an MDS matrix. The other cases can be proved similarly.

Let $L = \mathrm{Had}(A, B, C, D)$ be a Hadamard MDS matrix. Assume $\#A + \#B + \#C + \#D \le 2$. Then there are at least 2 entries with 0 XORs in the first row. Without loss of generality, we suppose $\#A = \#C = 0$. Then according to Lemma 1, it holds that
$$\mathrm{rank}(L([1, 3], [1, 3])) = \mathrm{rank}\begin{pmatrix} A & C \\ C & A \end{pmatrix} < 2m.$$
This is a contradiction since $L$ is an MDS matrix. The other cases can be proved similarly.

The above result means that there are at most two entries with no XORs in one row of a circulant MDS matrix, and at most one entry with no XORs in one row of a Hadamard MDS matrix. We suppose $L[1, 1] = I$ in our constructions, where $I$ denotes the identity matrix throughout this paper.

3 Lightweight circulant MDS matrices

In this section, we investigate the construction of lightweight circulant involutory, non-involutory and orthogonal MDS matrices respectively.

3.1 Constructing circulant involutory MDS matrices

First, we have the following result.

Lemma 2. Let $L = \mathrm{Circ}(I, A, B, C)$ be a circulant matrix, where $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$. Then $L$ is an involution if and only if the following equalities hold:
$$AB = BA,\quad BC = CB,\quad A^2 = C^2,\quad AC + CA = B^2.$$

Proof. By matrix multiplication, it can be checked that
$$L^2 = \mathrm{Circ}(I, A, B, C) \cdot \mathrm{Circ}(I, A, B, C) = \mathrm{Circ}(I + AC + CA + B^2,\ BC + CB,\ A^2 + C^2,\ AB + BA).$$
On the other hand, $L$ is an involution if and only if $L^2 = \mathrm{Circ}(I, 0, 0, 0)$. Therefore, $L$ is an involution if and only if $AB = BA$, $BC = CB$, $A^2 = C^2$ and $AC + CA = B^2$ hold simultaneously.

We give a general construction of circulant involutory matrices in the following result. For $A \in \mathrm{GL}(m, \mathbb{F}_2)$, the multiplication order of $A$ is defined as the minimum positive integer $d$ such that $A^d = I$.

Lemma 3. Suppose $A, C \in \mathrm{GL}(m, \mathbb{F}_2)$ with $A^2 = C^2 = I$, and the multiplication order of $A + C$ equals $4k - 2$ for some integer $k$ with $k > 1$. Let $B = (A + C)^{2k}$. Then the matrix $\mathrm{Circ}(I, A, B, C)$ is an involution.

Proof. Let $B = (A + C)^{2k}$. Note that $A^2 = C^2 = I$; then according to Lemma 2, we only need to prove that $A, B, C$ satisfy the following equalities:
$$AB = BA,\quad BC = CB,\quad AC + CA = B^2.$$
First, it is easy to see that
$$(A + C)^2 = A^2 + AC + CA + C^2 = AC + CA.$$
Then we have
$$B = (A + C)^{2k} = (AC + CA)^k.$$
Therefore,
$$AB = A(AC + CA)^k = A(AC + CA)(AC + CA)^{k-1} = (A^2 C + ACA)(AC + CA)^{k-1} = (CA^2 + ACA)(AC + CA)^{k-1} = (CA + AC)A(AC + CA)^{k-1} = \cdots = (AC + CA)^k A = BA.$$
Similarly, it can be checked that $BC = CB$. Note that $(A + C)^{4k-2} = I$; then we have
$$B^2 = (A + C)^{4k} = (A + C)^2 = AC + CA.$$
According to Lemma 2, $\mathrm{Circ}(I, A, (A + C)^{2k}, C)$ is an involution.

Remark 1. If $k = 1$, then the multiplication order of $A + C$ equals 2 and $B = (A + C)^2 = I$. In this case, $L = \mathrm{Circ}(I, A, I, C)$ constructed as above is also a circulant involution. However, it is not an MDS matrix, since $\mathrm{rank}(L([1, 3], [1, 3])) < 2m$. Hence we always suppose $k > 1$, since we want to construct circulant involutory MDS matrices.

Using the above results, our searching strategy is as follows. Firstly, we get the set $S$ which contains all involutory matrices from the set we want to search. Then for each pair $(A, C) \in S \times S$, we compute the multiplication order

$d$ of $A + C$. If $d \bmod 4 = 2$, then let $B = (A + C)^{d/2 + 1}$, and test whether $\mathrm{Circ}(I, A, B, C)$ is MDS by Theorem 1.

When $m = 4$, we search $A, C$ over $\mathrm{GL}(4, \mathbb{F}_2)$. There exist $A, C$ such that $\mathrm{Circ}(I, A, B, C)$ is MDS. The fewest sum of XORs of one row's entries of an MDS involutory $\mathrm{Circ}(I, A, B, C)$ constructed as above is 5. There are 48 pairs of $A, C$ with this property. When $m = 8$, we search $A, C$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with at most 3 bit XOR operations. The fewest sum of XORs of one row's entries of an MDS $\mathrm{Circ}(I, A, B, C)$ constructed as above is 9. There are pairs of $A, C$ satisfying this property. For all these pairs of $A, C$, $\mathrm{Circ}(I, C, B, A)$ are also circulant involutory MDS matrices.

Theorem 3. There exist $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$, $m = 4, 8$, such that $\mathrm{Circ}(I, A, B, C)$ is an involutory MDS matrix. Furthermore, the following statements hold.
1. When $m = 4$, circulant involutory MDS matrices constructed with the above method satisfy $\#A + \#B + \#C \ge 5$.
2. When $m = 8$, if $\#A \le 3$ and $\#C \le 3$, then circulant involutory MDS matrices constructed with the above method satisfy $\#A + \#B + \#C \ge 9$.

Example 1. Examples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ are circulant involutory MDS matrices with $\#A + \#B + \#C = m + 1$.
(1) $m = 4$, $A = [1, 2, [1, 3], [1, 2, 4]]$, $C = [4, 3, 2, 1]$, $B = (A + C)^4 = [2, [1, 2], [3, 4], 3]$.
(2) $m = 8$, $A = [1, 2, [1, 3], [1, 2, 4], 6, 5, 8, 7]$, $C = [5, 8, [2, 6], 7, 1, [3, 8], 4, 2]$, and $B = (A + C)^{16} = [[7, 8], 1, 7, [3, 8], [2, 4], [1, 4], 6, 5]$.

We further investigate the construction of $5 \times 5$ circulant involutory MDS matrices. In order to simplify our characterization, we investigate $5 \times 5$ circulant matrices of the type $\mathrm{Circ}(I, A, B, B, A)$, where $A, B \in \mathrm{GL}(m, \mathbb{F}_2)$. Concerning the involutory property of $\mathrm{Circ}(I, A, B, B, A)$, it is easy to prove the following result.

Lemma 4. Let $L = \mathrm{Circ}(I, A, B, B, A)$ be a circulant matrix, where $A, B \in \mathrm{GL}(m, \mathbb{F}_2)$. Then $L$ is an involution if and only if $A^2 = AB + BA = B^2$.

We give constructions by exhaustive search for $A, B$ with the following method. The method is often used hereafter in the paper, and we give a detailed general description here. The following result is helpful. It can be proved via elementary linear algebra, and we omit the proof here.

Lemma 5. Suppose $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$ are $m \times m$ non-singular matrices over $\mathbb{F}_2$. Then the following statements hold.
(1) $\begin{pmatrix} I & A \\ B & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(BA + C) = m$.
(2) $\begin{pmatrix} A & I \\ B & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(CA + B) = m$.

(3) $\begin{pmatrix} A & B \\ I & C \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(AC + B) = m$.
(4) $\begin{pmatrix} A & B \\ C & I \end{pmatrix}$ is of full rank if and only if $\mathrm{rank}(BC + A) = m$.

Let $L = \mathrm{Circ}(I, A, B, B, A)$. According to Theorem 1, if $L$ is MDS, then all its square sub-matrices are of full rank. According to Lemma 5, we have the following fact by investigating all square sub-matrices of order 2. If $L$ is MDS, then the following matrices are non-singular:
$$A + I,\ A^2 + I,\ B + I,\ B^2 + I,\ A^2 + B,\ A + B^2,\ A + B.$$
Note that $A^2 + I$ is non-singular if and only if $A + I$ is non-singular. Then the conditions can be simplified to the following matrices being non-singular:
$$A + I,\ B + I,\ A + B^2,\ A^2 + B,\ A + B.$$
Based on the above observations, we have the following searching strategy. First, note that both $A$ and $B$ should satisfy $\mathrm{rank}(X + I) = m$, $X = A, B$. The equalities that both $A$ and $B$ satisfy are called general rules. Then we can select the candidate set of $A$ and $B$ from the set we want to search over by using the general rules, which means
$$S_{A,B} := \{X : X \in S_{\mathrm{search}},\ \mathrm{rank}(X + I) = m\}.$$
Then for $A \in S_{A,B}$, we can get the candidate set of $B$ by using the other conditions that should be satisfied, which means
$$S_B := \{B : B \in S_{A,B},\ \mathrm{rank}(A + B) = m,\ \mathrm{rank}(A^2 + B) = m,\ \mathrm{rank}(A + B^2) = m,\ A^2 = AB + BA,\ A^2 = B^2\}.$$
At last, for $B \in S_B$, we test whether $L$ is MDS by Theorem 1.

When $m = 4$, we search $A, B$ over $\mathrm{GL}(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ is 4. There are 24 pairs of $A, B$ such that $\mathrm{Circ}(I, A, B, B, A)$ are involutory circulant MDS matrices with $\#A + \#B = 2$. These 24 MDS matrices are of the type $\mathrm{Circ}(I, A, A^T, A^T, A)$ and $\mathrm{Circ}(I, A^T, A, A, A^T)$ for 12 different $A$. When $m = 8$, we search $A, B$ over $\mathrm{GL}(8, \mathbb{F}_2)$ with $\#A + \#B \le 3$. No involutory MDS matrix is returned. Therefore, if $\mathrm{Circ}(I, A, B, B, A)$ is an involutory MDS matrix, then $\#A + \#B \ge 4$. Then we have the following result.

Theorem 4. There exist $A, B \in \mathrm{GL}(m, \mathbb{F}_2)$, $m = 4, 8$, such that $\mathrm{Circ}(I, A, B, B, A)$ is a $5 \times 5$ involutory MDS matrix. Furthermore, if $\mathrm{Circ}(I, A, B, B, A)$ is an involutory MDS matrix, then $\#A + \#B \ge m/2$.

Similar to the subfield construction used in [6,18,20], it is easy to construct involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ over $\mathbb{F}_2^8$ with $\#A + \#B =$

4, since we have constructed involutory MDS $\mathrm{Circ}(I, A, B, B, A)$ over $\mathbb{F}_2^4$ with $\#A + \#B = 2$. Let $X \in \mathrm{GL}(4, \mathbb{F}_2)$ with $\#X = 1$ such that $\mathrm{Circ}(I, X, X^T, X^T, X)$ is an involutory MDS matrix. Then $\mathrm{Circ}(I, A, A^T, A^T, A)$ is also an involutory MDS matrix, where $A \in \mathrm{GL}(8, \mathbb{F}_2)$ is of the following form:
$$A = \begin{pmatrix} X & 0 \\ 0 & X \end{pmatrix}.$$
Then we can construct 24 circulant involutory MDS matrices by using the above method and the search result when $m = 4$. In order to get more circulant involutory MDS matrices, we search $A$ over $\mathrm{GL}(8, \mathbb{F}_2)$ with $\#A = 2$. We get $A$ such that $\mathrm{Circ}(I, A, A^T, A^T, A)$ are involutory MDS matrices and $\#A + \#A^T = 4$.

Example 2. Examples of $A, B$ such that $\mathrm{Circ}(I, A, B, B, A)$ are circulant involutory MDS matrices with $\#A + \#B = m/2$.
(1) $m = 4$, $A = [2, 3, 4, [1, 3]]$, $B = A^T = [4, 1, [2, 4], 3]$.
(2) $m = 8$, $X = [2, 3, 4, [1, 3]]$, $A = \begin{pmatrix} X & 0 \\ 0 & X \end{pmatrix} = [2, 3, 4, [1, 3], 6, 7, 8, [5, 7]]$, $B = A^T = [4, 1, [2, 4], 3, 8, 5, [6, 8], 7]$.
(3) $m = 8$, $A = [[3, 5], 8, 1, 3, 4, 2, 6, [2, 7]]$, $B = A^T = [3, [6, 8], [1, 4], 5, 1, 7, 8, 2]$.

It is interesting that $5 \times 5$ circulant involutory MDS matrices can be constructed with only 3 different entries. We have tried some other methods to construct circulant involutory MDS matrices of higher order. However, we have not obtained a circulant involutory MDS matrix of order greater than or equal to 6 so far. We leave it as an open problem.

Problem 1. Construct $n \times n$ circulant involutory MDS matrices over $\mathrm{GL}(m, \mathbb{F}_2)$ or prove that they do not exist, where $n \ge 6$, $m = 4, 8$.

3.2 Constructing circulant non-involutory MDS matrices

In this subsection, we want to construct non-involutory MDS matrices with as few XORs as possible. We consider circulant matrices of the type $\mathrm{Circ}(I, I, A, B)$, since it has the most entries with no XORs in one row. The searching strategy is similar to the previous subsection. If $\mathrm{Circ}(I, I, A, B)$ is MDS, then the following matrices are non-singular:
$$A + I,\ B + I,\ A + B,\ AB + I,\ A^2 + B,\ A + B^2.$$
When $m = 4$, we search $A, B$ over $\mathrm{GL}(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an MDS $\mathrm{Circ}(I, I, A, B)$ is 3. There are 48 pairs $(A, B)$ such that $\mathrm{Circ}(I, I, A, B)$ are MDS matrices with $\#A + \#B = 3$. These 48 matrices are of the type $\mathrm{Circ}(I, I, A, A^{-2})$ and $\mathrm{Circ}(I, I, A^{-2}, A)$ for 24 different $A$.

When $m = 8$, we search $A, B$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with 1 bit XOR. No MDS matrix is returned. This means if $\mathrm{Circ}(I, I, A, B)$ is an MDS matrix over $\mathrm{GL}(8, \mathbb{F}_2)$, then either $A$ or $B$ has at least 2 XORs, and hence $\#A + \#B \ge 3$. Therefore, the following result holds.

Theorem 5. Let $L = \mathrm{Circ}(I, I, A, B)$, where $A, B \in \mathrm{GL}(m, \mathbb{F}_2)$, $m = 4, 8$. If $L$ is an MDS matrix, then $\#A + \#B \ge 3$.

In order to get circulant MDS matrices for which the above bound holds with equality when $m = 8$, we let $B = A^{-2}$ and search $A$ over all $8 \times 8$ non-singular matrices over $\mathbb{F}_2$ with 1 bit XOR. At last, we get $A$ such that $\mathrm{Circ}(I, I, A, A^{-2})$ are MDS matrices with $\#A + \#A^{-2} = 3$. Furthermore, $\mathrm{Circ}(I, I, A^{-2}, A)$ are also MDS matrices for all these $A$.

Example 3. Examples of $A, B$ such that $\mathrm{Circ}(I, I, A, B)$ and $\mathrm{Circ}(I, I, B, A)$ are MDS matrices with $\#A + \#B = 3$.
(1) $m = 4$, $A = [2, 3, 4, [1, 4]]$, $B = A^{-2} = [[2, 3], [3, 4], 1, 2]$.
(2) $m = 8$, $A = [2, 3, 4, 5, 6, 7, 8, [1, 3]]$, $B = A^{-2} = [[1, 7], [2, 8], 1, 2, 3, 4, 5, 6]$.

3.3 Constructing circulant orthogonal MDS matrices

A square matrix $L$ is called orthogonal if $L^{-1} = L^T$, where $L^T$ is the transpose of $L$. It is proven in [13] that there do not exist $2^d \times 2^d$ circulant orthogonal MDS matrices over finite fields. In this subsection, we show that $4 \times 4$ circulant orthogonal MDS matrices can also be constructed with non-commutative entries. Firstly, note that for $L = \mathrm{Circ}(I, A, B, C)$ with $m \times m$ matrices $A, B, C$ over $\mathbb{F}_2$, it holds that $L^T = \mathrm{Circ}(I, C^T, B^T, A^T)$. This means one has to implement the new entries $A^T, B^T, C^T$ in the decryption circuit when $L$ is orthogonal. In order to simplify implementation, we let $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$ be symmetric matrices, which means $A = A^T$, $B = B^T$, $C = C^T$. Then it holds that $L^T = \mathrm{Circ}(I, C^T, B^T, A^T) = \mathrm{Circ}(I, C, B, A)$, and it is easy to prove the following result.

Lemma 6. Let $L = \mathrm{Circ}(I, A, B, C)$ be a circulant matrix, where $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$ are symmetric matrices. Then $L$ is orthogonal if and only if the following equalities hold:
$$A^2 + B^2 = C^2,\quad AC = CA,\quad A + C = BA + CB,\quad A + C = AB + BC.$$

If $L = \mathrm{Circ}(I, A, B, C)$ is MDS, then the following matrices are non-singular:
$$B + I,\ B + A^2,\ B + C^2,\ AC + I,\ AB + C.$$
When $m = 4$, we search symmetric $A, B, C$ over $\mathrm{GL}(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an orthogonal MDS $\mathrm{Circ}(I, A, B, C)$ is 8. There are 24 triples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ are orthogonal MDS matrices with $\#A + \#B + \#C = 8$. Then we have the following result.

Theorem 6. There exist symmetric $A, B, C \in \mathrm{GL}(4, \mathbb{F}_2)$ such that $\mathrm{Circ}(I, A, B, C)$ is an orthogonal MDS matrix. Furthermore, if $\mathrm{Circ}(I, A, B, C)$ is an orthogonal MDS matrix, then $\#A + \#B + \#C \ge 8$.

Example 4. Examples of $A, B, C$ such that $\mathrm{Circ}(I, A, B, C)$ is an orthogonal circulant MDS matrix with $\#A + \#B + \#C = 2m$.
(1) $m = 4$, $A = [1, 2, 4, [3, 4]]$, $B = [[1, 4], [2, 3, 4], [2, 3], [1, 2, 4]]$, $C = [2, [1, 2], 3, 4]$.
(2) $m = 8$, $A = \begin{pmatrix} A_1 & 0 \\ 0 & A_1 \end{pmatrix}$, $B = \begin{pmatrix} B_1 & 0 \\ 0 & B_1 \end{pmatrix}$, $C = \begin{pmatrix} C_1 & 0 \\ 0 & C_1 \end{pmatrix}$, where $A_1, B_1, C_1$ are the $A, B, C$ in the above item.

4 Lightweight Hadamard MDS matrices

In this section, we investigate the construction of lightweight Hadamard involutory and non-involutory MDS matrices respectively.

4.1 Constructing Hadamard involutory MDS matrices

In the case where $a, b, c$ are elements of a finite field, $\mathrm{Had}(1, a, b, c)$ is an involution if and only if $a^2 + b^2 = c^2$. In the case of $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$, we have the following result.

Lemma 7. Let $A, B, C \in \mathrm{GL}(m, \mathbb{F}_2)$. Then $L = \mathrm{Had}(I, A, B, C)$ is an involution if and only if $A, B, C$ are pairwise commutative and $A^2 + B^2 = C^2$.

Proof. By matrix multiplication, it can be checked that
$$L^2 = \mathrm{Had}(I, A, B, C) \cdot \mathrm{Had}(I, A, B, C) = \mathrm{Had}(I + A^2 + B^2 + C^2,\ BC + CB,\ AC + CA,\ AB + BA).$$
Therefore, $L$ is an involution if and only if $L^2 = \mathrm{Had}(I, 0, 0, 0)$, which is equivalent to $AB = BA$, $BC = CB$, $AC = CA$ and $A^2 + B^2 = C^2$ holding simultaneously.

When $m = 4$, we search $A, B, C$ over $\mathrm{GL}(4, \mathbb{F}_2)$ as previously. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Had}(I, A, B, C)$ is 6. There are 144 triples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are involutory MDS matrices with $\#A + \#B + \#C = 6$. These 144 matrices are of the type $\mathrm{Had}(I, A_1, A_2, A_3)$, where $(A_1, A_2, A_3)$ is a permutation of $(A, A^{-1}, A + A^{-1})$ for 24 different $A$. When $m = 8$, we also consider Hadamard matrices of the type $L = \mathrm{Had}(I, A, A^{-1}, A + A^{-1})$, where $A \in \mathrm{GL}(m, \mathbb{F}_2)$. According to the above lemma, $L$ is an involution. We use the method in [19,22] to characterize whether $L$ is MDS. By computing the

determinants of all the square sub-matrices of $L$ and factorizing these polynomials, we get that $L$ is an MDS matrix if and only if all the following matrices are non-singular:
$$A,\ A + I,\ A^2 + A + I,\ A^3 + A + I,\ A^3 + A^2 + I.$$
Then we search $A$ over $\mathrm{GL}(8, \mathbb{F}_2)$ with $\#A \le 3$. The fewest XORs of one row's entries of an involutory MDS $\mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ is 10. We get $A$ such that $\mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ are involutory MDS matrices with $\#A + \#A^{-1} + \#(A + A^{-1}) = 10$. We have also searched some other types of Hadamard matrices. However, we have not obtained a Hadamard involutory matrix with fewer than 10 XORs in one row so far.

Theorem 7.
1. Let $A, B, C \in \mathrm{GL}(4, \mathbb{F}_2)$. If $L = \mathrm{Had}(I, A, B, C)$ is an MDS involution matrix, then $\#A + \#B + \#C \ge 6$.
2. Let $A \in \mathrm{GL}(8, \mathbb{F}_2)$ with $\#A \le 3$. If $L = \mathrm{Had}(I, A, A^{-1}, A + A^{-1})$ is an MDS involution matrix, then $\#A + \#A^{-1} + \#(A + A^{-1}) \ge 10$.

Example 5. Examples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are involutory MDS matrices with $\#A + \#B + \#C = m + 2$.
(1) $m = 4$, $A = [2, [1, 3], 4, [2, 3]]$, $B = A^{-1} = [[1, 2, 4], 1, [1, 4], 3]$, $C = A + A^{-1} = [[1, 4], 3, 1, 2]$.
(2) $m = 8$, $A = [2, 3, 4, 5, 6, 7, 8, [1, 3]]$, $B = A^{-1} = [[2, 8], 1, 2, 3, 4, 5, 6, 7]$, $C = A + A^{-1} = [8, [1, 3], [2, 4], [3, 5], [4, 6], [5, 7], [6, 8], [1, 3, 7]]$.

4.2 Constructing non-involutory Hadamard MDS matrices

In this subsection, we want to construct non-involutory Hadamard MDS matrices with as few XORs as possible. The searching strategy is similar to the previous one. If $\mathrm{Had}(I, A, B, C)$ is MDS, then the following matrices are non-singular:
$$A + I,\ B + I,\ C + I,\ AB + C,\ AC + B,\ BA + C,\ BC + A,\ CB + A,\ CA + B.$$
When $m = 4$, we search $A, B, C$ over $\mathrm{GL}(4, \mathbb{F}_2)$. The fewest XORs of one row's entries of an MDS $\mathrm{Had}(I, A, B, C)$ is 4. There are 72 triples of $A, B, C$ such that $\mathrm{Had}(I, A, B, C)$ are MDS matrices with $\#A + \#B + \#C = 4$. These 72 matrices are of the type $\mathrm{Had}(I, A_1, A_2, A_3)$, where $(A_1, A_2, A_3)$ is a permutation of $(A, A^T, A + A^T)$ for 12 different $A$. When $m = 8$, we search $A$ over $\mathrm{GL}(8, \mathbb{F}_2)$ with $\#A \le 2$. The fewest XORs of one row's entries of an MDS $\mathrm{Had}(I, A, A^T, A + A^T)$ is 8. In order to get Hadamard MDS matrices with fewer XORs in one row, we investigate Hadamard matrices of the type $\mathrm{Had}(I, A, A^T, B)$. According to our search, if $\#A \le 1$ and $\#B \le 2$, then there is no MDS $\mathrm{Had}(I, A, A^T, B)$. Then we have the following result.

Theorem 8.
1. Let $A, B, C \in \mathrm{GL}(4, \mathbb{F}_2)$. If $L = \mathrm{Had}(I, A, B, C)$ is an MDS matrix, then $\#A + \#B + \#C \ge 4$.

15 matrix type elements the first row XOR count Ref. Circulant GL(8, F 2) [I, I, A, B] = 27 Subsection 3.2 Circulant F 2 8/0x11b (0x02, 0x03, 0x01, 0x01) = 38 AES [8] Hadamard GL(8, F 2) [I, A, A T, B] = 29 Subsection 4.2 Hadamard F 2 8/0x1c3 (0x01, 0x02, 0x04, 0x91) = 37 [20] Subfield-Hadamard F 2 4/0x13 (0x1, 0x2, 0x8, 0x9) 2 ( ) = 34 [20] Table 1. Comparisons with previous constructions of non-involutory MDS matrices matrix type elements the first row XOR count Ref. Circulant GL(8, F2) [I, A, B, C] = 33 Subsection 3.1 Hadamard GL(8, F2) [I, A, A 1, A + A 1 ] = 34 Subsection 4.1 Subfield-Hadamard F 2 4/0x13 (0x1, 0x4, 0x9, 0xd) 2 ( ) = 36 [20] Hadamard F 2 8/0x165 (0x01, 0x02, 0xb0, 0xb2) = 40 [20] Hadamard F 2 8/0x11d (0x01, 0x02, 0x04, 0x06) = 46 [3] Compact Cauchy F 2 8/0x11b (0x01, 0x12, 0x04, 0x16) = 78 [7] Hadamard-Cauchy F 2 8/0x11b (0x01, 0x02, 0xfc, 0xfe) = 98 [11] Table 2. Comparisons with previous constructions of involutory MDS matrices 2. Let A, B GL(8, F 2 ). If L = Had(I, A, A T, B) is an MDS matrix, then #A + #A T + #B 5. In order to get MDS Had(I, A, A T, B) with #A+#A T +#B = 5, we choose A with #A = 2 and rank(a + I) = 8 randomly, and then test whether there exist B with #B = 1 such that Had(I, A, A T, B) is MDS. We repeat the process several times and get 622 pairs of A, B GL(8, F 2 ), such that Had(I, A, A T, B) is MDS and #A + #A T + #B = 5. Example 6. Examples of A, B, C such that Had(I, A, B, C) are MDS matrices with the bounds in the above theorem hold. (1) m = 4, A = [2, 3, 4, [1, 3]], B = A T = [4, 1, [2, 4], 3], C = A + A T = [[2, 4], [1, 3], 2, 1]. (2) m = 8, A = [2, 3, 4, [1, 5], 8, 7, 5, [3, 6]], B = A T = [4, 1, [2, 8], 3, [4, 7], 8, 6, 5], C = [[4, 7], 6, 5, 8, 7, 1, 2, 3]. We give comparisons of our constructions with previous constructions in Table 1, Table 2 and Table 3 respectively. The lower bounds on XORs of circulant and Hadamard MDS matrices given in Section 3 and Section 4 are under the supposition L[1, 1] = I. 
Therefore, it is possible to improve the previous lower bounds when L[1, 1] ≠ I. However, we have the following result from searching, which shows that the lower bounds cannot be improved when m = 4.

matrix type | elements | the first row | XOR count | Ref.
Circulant | GL(4, F_2) | [I, I, A, B] | 15 | Subsection 3.2
Involutory circulant | GL(4, F_2) | [I, A, B, C] | 17 | Subsection 3.1
Hadamard | GL(4, F_2) | [I, A, B, C] | 16 | Subsection 4.2
Hadamard | F_{2^4}/0x13 | (0x1, 0x2, 0x8, 0x9) | 17 | [20]
Involutory Hadamard | GL(4, F_2) | [I, A, A^{-1}, A + A^{-1}] | 18 | Subsection 4.1
Involutory Hadamard | F_{2^4}/0x13 | (0x1, 0x4, 0x9, 0xd) | 18 | [20,14]
Involutory Hadamard | F_{2^4}/0x19 | (0x1, 0x2, 0x6, 0x4) | 18 | [17]

Table 3. Comparisons of MDS matrices over F_2^4 and F_{2^4}

Theorem 9. Let A_i ∈ GL(4, F_2), and A = Σ_{i=1}^{4} #A_i. Then the following statements hold.
1. If Circ(A_1, A_2, A_3, A_4) is a circulant MDS matrix, then A ≥ 3.
2. If Circ(A_1, A_2, A_3, A_4) is a circulant involutory MDS matrix, then A ≥ 5.
3. If Had(A_1, A_2, A_3, A_4) is a Hadamard MDS matrix, then A ≥ 4.
4. If Had(A_1, A_2, A_3, A_4) is a Hadamard involutory MDS matrix, then A ≥ 6.

5 Lightweight Optimal 4 × 4 MDS matrices

It is proven in [16] that the highest possible number of 1s and the lowest possible number of different entries for a 4 × 4 MDS matrix over finite fields are 9 and 3 respectively. A matrix for which the two properties hold simultaneously is called optimal in their presentation slides. The following matrix

a 1 1 1
1 1 b a
1 a 1 b
1 b a 1

is an example of an optimal matrix given in [16]. Similarly as above, we investigate the following special matrix,

    A I I I
L = I I B A
    I A I B
    I B A I

where A, B ∈ GL(m, F_2) are m × m non-singular matrices over F_2. If L is MDS, then the following matrices are non-singular: A + I, B + I, A + B, A + B^2, A^2 + B, AB + I.

When m = 4, we search A, B over GL(4, F_2), the set of all 4 × 4 non-singular matrices over F_2. The fewest XORs of an optimal MDS matrix is 13. There are 24 pairs A, B ∈ GL(m, F_2) such that the corresponding constructions are MDS matrices with 4#A + 3#B = 13. All these pairs satisfy B = A^{-2}. When m = 8, we search A, B over the set of all 8 × 8 non-singular matrices over F_2 with 1 bit XOR operation. No MDS matrix is returned. This means that if L is an optimal MDS matrix over GL(8, F_2), then either A or B has at least 2 XORs, and hence #L ≥ 10. Then we have the following result.

Theorem 10. Let L be a matrix constructed as above, where A, B ∈ GL(m, F_2), m = 4, 8. If L is an MDS matrix, then 4#A + 3#B ≥ 13 if m = 4, and 4#A + 3#B ≥ 10 if m = 8.

In order to get optimal matrices over GL(8, F_2) with 10 XORs, we let B = A^{-2} and search A over all 8 × 8 non-singular matrices over F_2 with 1 bit XOR operation. We get A ∈ GL(8, F_2) such that the corresponding constructions are optimal MDS matrices with 10 XORs. It is interesting that optimal 4 × 4 MDS matrices over GL(8, F_2) have fewer XORs than optimal 4 × 4 MDS matrices over GL(4, F_2).

Example 7. Examples of A, B such that L is an optimal MDS matrix attaining the bounds in the above result.
(1) Let A = [[2, 3], 4, 2, 1], B = A^{-2} = [2, [1, 3], [1, 3, 4], 3]. Then L constructed as above is an MDS matrix with 4#A + 3#B = 13.
(2) Let A = [4, 5, 6, 8, 3, [4, 7], 1, 2], B = A^{-2} = [[1, 6], 4, 2, 7, 8, 5, [3, 7], 1]. Then L constructed as above is an MDS matrix with 4#A + 3#B = 10.

6 Conclusion

In the present paper, we mainly investigate the construction of 4 × 4 lightweight MDS matrices with entries in the set of m × m non-singular matrices over F_2. With this method, circulant, Hadamard and involutory Hadamard MDS matrices with fewer XORs than previous constructions are given. Moreover, circulant involutory MDS matrices are also constructed with our method.
Constructing lightweight MDS matrices of large order with the method of the present paper is an interesting problem that needs further study.

Acknowledgements. The authors are very grateful to the anonymous reviewers for their valuable comments. This work was supported by the 973 project under Grant (2013CB834203), by the National Science Foundation of China (No , No ).

References

1. Augot, D., Finiasz, M.: Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions. In: 2013 IEEE International Symposium on Information Theory (ISIT). IEEE (2013)
2. Augot, D., Finiasz, M.: Direct construction of recursive MDS diffusion layers using shortened BCH codes. In: Cid, C., Rechberger, C. (eds.) FSE. LNCS, vol. 8540, pp. 3-17. Springer
3. Barreto, P., Rijmen, V.: The Anubis Block Cipher. Submission to the NESSIE Project
4. Berger, T.P.: Construction of Recursive MDS Diffusion Layers from Gabidulin Codes. In: INDOCRYPT. LNCS, vol. 8250. Springer
5. Blaum, M., Roth, R.M.: On Lowest Density MDS Codes. IEEE Transactions on Information Theory 45(1) (1999)
6. Choy, J., Yap, H., Khoo, K., Guo, J., Peyrin, T., Poschmann, A., Tan, C.H.: SPN-Hash: Improving the Provable Resistance against Differential Collision Attacks. In: AFRICACRYPT (2012)
7. Cui, T., Jin, C., Kong, Z.: On compact Cauchy matrices for substitution permutation networks. IEEE Transactions on Computers 99(PrePrints):1
8. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer
9. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES. LNCS, vol. 6917. Springer, Heidelberg (2011)
10. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO. LNCS, vol. 6841. Springer, Heidelberg (2011)
11. Gupta, K.C., Ray, I.G.: On Constructions of Involutory MDS Matrices. In: AFRICACRYPT, pp. 43-60
12. Gupta, K.C., Ray, I.G.: On constructions of MDS matrices from companion matrices for lightweight cryptography. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops. LNCS, vol. 8128. Springer, Heidelberg (2013)
13. Gupta, K.C., Ray, I.G.: Cryptographically significant MDS matrices based on circulant and circulant-like matrices for lightweight applications. Cryptogr. Commun. 7 (2015)
14. Jean, J., Nikolić, I., Peyrin, T.: Joltik v1.1. Submission to the CAESAR competition, syllab/joltik
15. Nakahara Jr., J., Abrahão, É.: A new involutory MDS matrix for the AES. I. J. Network Security 9(2)
16. Junod, P., Vaudenay, S.: Perfect Diffusion Primitives for Block Ciphers: Building Efficient MDS Matrices. In: Handschuh, H., Hasan, M.A. (eds.) SAC. LNCS, vol. 3357. Springer, Heidelberg (2004)
17. Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1.1. Submission to the CAESAR competition
18. Khoo, K., Peyrin, T., Poschmann, A., Yap, H.: FOAM: Searching for Hardware Optimal SPN Structures and Components with a Fair Comparison. In: Cryptographic Hardware and Embedded Systems, CHES 2014. LNCS, vol. 8731. Springer, Berlin Heidelberg (2014)

19. Sajadieh, M., Dakhilalian, M., Mala, H., Sepehrdad, P.: Recursive Diffusion Layers for Block Ciphers and Hash Functions. In: Canteaut, A. (ed.) FSE. LNCS, vol. 7549. Springer, Heidelberg (2012)
20. Sim, S.M., Khoo, K., Oggier, F., Peyrin, T.: Lightweight MDS Involution Matrices. In: Leander, G., Demirci, H. (eds.) FSE. LNCS. Springer (2015)
21. Vaudenay, S.: On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. In: 2nd International Workshop on Fast Software Encryption. Springer-Verlag (1994)
22. Wu, S., Wang, M., Wu, W.: Recursive Diffusion Layers for (Lightweight) Block Ciphers and Hash Functions. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707

A More Examples of Circulant Involutory MDS matrices

In this appendix, we give more examples of circulant involutory MDS matrices achieving the lower bounds in the paper.

A.1 m = 4

The following triples are < A, B, C >, where B = (A + C)^4, such that Circ(I, A, B, C) are circulant involutory MDS matrices over (F_2^4)^4 and #A + #B + #C = 5. For all these triples, Circ(I, C, B, A) are also circulant involutory MDS matrices.

1. << 1, 2, < 1, 3 >, < 1, 2, 4 >>, < 2, < 1, 2 >, < 3, 4 >, 3 >, < 4, 3, 2, 1 >>
2. << 1, 2, < 2, 3 >, < 1, 2, 4 >>, << 1, 2 >, 1, < 3, 4 >, 3 >, < 3, 4, 1, 2 >>
3. << 1, 2, < 1, 2, 3 >, < 1, 4 >>, < 2, < 1, 2 >, 4, < 3, 4 >>, < 3, 4, 1, 2 >>
4. << 1, 2, < 1, 2, 3 >, < 2, 4 >>, << 1, 2 >, 1, 4, < 3, 4 >>, < 4, 3, 2, 1 >>
5. << 1, < 1, 2 >, 3, < 1, 3, 4 >>, < 3, < 2, 4 >, < 1, 3 >, 2 >, < 4, 3, 2, 1 >>
6. << 1, < 1, 2 >, < 1, 3, 4 >, 4 >, < 4, < 2, 3 >, 2, < 1, 4 >>, < 3, 4, 1, 2 >>
7. << 1, < 2, 3 >, 3, < 1, 3, 4 >>, << 1, 3 >, < 2, 4 >, 1, 2 >, < 2, 1, 4, 3 >>
8. << 1, < 1, 2, 3 >, 3, < 1, 4 >>, < 3, 4, < 1, 3 >, < 2, 4 >>, < 2, 1, 4, 3 >>
9. << 1, < 1, 2, 3 >, 3, < 3, 4 >>, << 1, 3 >, 4, 1, < 2, 4 >>, < 4, 3, 2, 1 >>
10. << 1, < 2, 4 >, < 1, 3, 4 >, 4 >, << 1, 4 >, < 2, 3 >, 2, 1 >, < 2, 1, 4, 3 >>
11. << 1, < 1, 2, 4 >, < 1, 3 >, 4 >, < 4, 3, < 2, 3 >, < 1, 4 >>, < 2, 1, 4, 3 >>
12. << 1, < 1, 2, 4 >, < 3, 4 >, 4 >, << 1, 4 >, 3, < 2, 3 >, 1 >, < 3, 4, 1, 2 >>

13. << 2, 1, 4, 3 >, << 1, 4 >, < 2, 3 >, 2, 1 >, << 1, 3 >, 2, 3, < 2, 3, 4 >>>
14. << 2, 1, 4, 3 >, < 4, 3, < 2, 3 >, < 1, 4 >>, << 1, 2, 3 >, 2, 3, < 2, 4 >>>
15. << 2, 1, 4, 3 >, << 1, 3 >, < 2, 4 >, 1, 2 >, << 1, 4 >, 2, < 2, 3, 4 >, 4 >>
16. << 2, 1, 4, 3 >, < 3, 4, < 1, 3 >, < 2, 4 >>, << 1, 2, 4 >, 2, < 2, 3 >, 4 >>
17. <<< 1, 2 >, 2, 3, < 2, 3, 4 >>, << 1, 4 >, 3, < 2, 3 >, 1 >, < 3, 4, 1, 2 >>
18. <<< 1, 2 >, 2, < 2, 3, 4 >, 4 >, << 1, 3 >, 4, 1, < 2, 4 >>, < 4, 3, 2, 1 >>
19. << 3, 4, 1, 2 >, < 4, < 2, 3 >, 2, < 1, 4 >>, << 1, 2, 3 >, 2, 3, < 3, 4 >>>
20. << 3, 4, 1, 2 >, << 1, 2 >, 1, < 3, 4 >, 3 >, << 1, 4 >, < 2, 3, 4 >, 3, 4 >>
21. << 3, 4, 1, 2 >, < 2, < 1, 2 >, 4, < 3, 4 >>, << 1, 3, 4 >, < 2, 3 >, 3, 4 >>
22. <<< 1, 3 >, < 2, 3, 4 >, 3, 4 >, << 1, 2 >, 1, 4, < 3, 4 >>, < 4, 3, 2, 1 >>
23. << 4, 3, 2, 1 >, < 3, < 2, 4 >, < 1, 3 >, 2 >, << 1, 2, 4 >, 2, < 3, 4 >, 4 >>
24. << 4, 3, 2, 1 >, < 2, < 1, 2 >, < 3, 4 >, 3 >, << 1, 3, 4 >, < 2, 4 >, 3, 4 >>

A.2 m = 8

We list 128 triples < A, B, C > in the following, where B = (A + C)^16, such that Circ(I, A, B, C) are circulant involutory MDS matrices over (F_2^8)^4 and #A + #B + #C = 9. For all these triples, Circ(I, C, B, A) are also circulant involutory MDS matrices.

1. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 6, 5, 8, 7 >, << 5, 6 >, 1, 6, < 3, 5 >, 8, 7, < 1, 4 >, < 2, 4 >>, < 8, 5, < 2, 7 >, 6, 2, 4, < 3, 5 >, 1 >>
2. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 6, 5, 8, 7 >, << 7, 8 >, 1, 7, < 3, 8 >, < 1, 4 >, < 2, 4 >, 5, 6 >, < 6, 8, < 2, 5 >, 7, < 3, 8 >, 1, 4, 2 >>
3. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 6, 5, 8, 7 >, << 7, 8 >, 1, 7, < 3, 8 >, < 2, 4 >, < 1, 4 >, 6, 5 >, < 5, 8, < 2, 6 >, 7, 1, < 3, 8 >, 4, 2 >>
4. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 6, 5, 8, 7 >, << 7, 8 >, 1, 8, < 3, 7 >, < 1, 4 >, < 2, 4 >, 6, 5 >, < 6, 7, < 2, 5 >, 8, < 3, 7 >, 1, 2, 4 >>
5. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 7, 8, 5, 6 >, << 5, 7 >, 1, 5, < 3, 7 >, 6, < 1, 4 >, 8, < 2, 4 >>, < 8, 7, < 2, 6 >, 5, 4, < 3, 7 >, 2, 1 >>

6. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 7, 8, 5, 6 >, << 6, 8 >, 1, 8, < 3, 6 >, < 2, 4 >, 5, < 1, 4 >, 7 >, < 5, 6, < 2, 7 >, 8, 1, 2, < 3, 6 >, 4 >>
7. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 8, 7, 6, 5 >, << 6, 7 >, 1, 6, < 3, 7 >, < 1, 4 >, 5, 8, < 2, 4 >>, < 8, 7, < 2, 5 >, 6, < 3, 7 >, 4, 2, 1 >>
8. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 8, 7, 6, 5 >, << 6, 7 >, 1, 6, < 3, 7 >, < 2, 4 >, 8, 5, < 1, 4 >>, < 5, 7, < 2, 8 >, 6, 1, 4, 2, < 3, 7 >>>
9. << 1, 2, < 1, 3 >, < 1, 2, 4 >, 8, 7, 6, 5 >, << 6, 7 >, 1, 7, < 3, 6 >, < 1, 4 >, 8, 5, < 2, 4 >>, < 8, 6, < 2, 5 >, 7, < 3, 6 >, 2, 4, 1 >>
10. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 4, 5 >, 1, 4, 7, 8, < 3, 5 >, < 1, 6 >, < 2, 6 >>, < 8, 5, < 2, 7 >, 6, 2, 4, < 3, 5 >, 1 >>
11. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 4, 5 >, 1, 4, 8, 7, < 3, 5 >, < 2, 6 >, < 1, 6 >>, < 7, 5, < 2, 8 >, 6, 2, 4, 1, < 3, 5 >>>
12. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 4, 5 >, 1, 5, 8, 7, < 3, 4 >, < 1, 6 >, < 2, 6 >>, < 8, 4, < 2, 7 >, 2, 6, 5, < 3, 4 >, 1 >>
13. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 7, 8 >, 1, 7, < 1, 6 >, < 2, 6 >, < 3, 8 >, 4, 5 >, < 5, 8, < 2, 4 >, < 3, 8 >, 1, 7, 6, 2 >>
14. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 7, 8 >, 1, 8, < 1, 6 >, < 2, 6 >, < 3, 7 >, 5, 4 >, < 5, 7, < 2, 4 >, < 3, 7 >, 1, 8, 2, 6 >>
15. << 1, 2, < 1, 3 >, 5, 4, < 1, 2, 6 >, 8, 7 >, << 7, 8 >, 1, 8, < 2, 6 >, < 1, 6 >, < 3, 7 >, 4, 5 >, < 4, 7, < 2, 5 >, 1, < 3, 7 >, 8, 2, 6 >>
16. << 1, 2, < 1, 3 >, 5, 4, 7, 6, < 1, 2, 8 >>, << 4, 5 >, 1, 4, 7, 6, < 2, 8 >, < 1, 8 >, < 3, 5 >>, < 6, 5, < 2, 7 >, 8, 2, 1, < 3, 5 >, 4 >>
17. << 1, 2, < 1, 3 >, 5, 4, 7, 6, < 1, 2, 8 >>, << 6, 7 >, 1, 7, < 1, 8 >, < 2, 8 >, 5, 4, < 3, 6 >>, < 5, 6, < 2, 4 >, < 3, 6 >, 1, 2, 8, 7 >>
18. << 1, 2, < 1, 3 >, 5, 4, 7, 6, < 1, 2, 8 >>, << 6, 7 >, 1, 7, < 2, 8 >, < 1, 8 >, 4, 5, < 3, 6 >>, < 4, 6, < 2, 5 >, 1, < 3, 6 >, 2, 8, 7 >>
19. << 1, 2, < 1, 3 >, 5, 4, 8, < 1, 2, 7 >, 6 >, << 4, 5 >, 1, 5, 8, 6, < 1, 7 >, < 3, 4 >, < 2, 7 >>, < 8, 4, < 2, 6 >, 2, 7, < 3, 4 >, 5, 1 >>
20. << 1, 2, < 1, 3 >, 5, 4, 8, < 1, 2, 7 >, 6 >, << 6, 8 >, 1, 8, < 1, 7 >, < 2, 7 >, 5, < 3, 6 >, 4 >, < 5, 6, < 2, 4 >, < 3, 6 >, 1, 2, 8, 7 >>

21. << 1, 2, < 1, 3 >, 6, < 1, 2, 5 >, 4, 8, 7 >, << 4, 6 >, 1, 4, 7, < 3, 6 >, 8, < 1, 5 >, < 2, 5 >>, < 8, 6, < 2, 7 >, 5, 4, 2, < 3, 6 >, 1 >>
22. << 1, 2, < 1, 3 >, 6, < 1, 2, 5 >, 4, 8, 7 >, << 4, 6 >, 1, 6, 7, < 3, 4 >, 8, < 2, 5 >, < 1, 5 >>, < 7, 4, < 2, 8 >, 2, 6, 5, 1, < 3, 4 >>>
23. << 1, 2, < 1, 3 >, 6, < 1, 2, 5 >, 4, 8, 7 >, << 7, 8 >, 1, 7, < 2, 5 >, < 3, 8 >, < 1, 5 >, 6, 4 >, < 4, 8, < 2, 6 >, 1, 7, < 3, 8 >, 5, 2 >>
24. << 1, 2, < 1, 3 >, 6, < 1, 2, 5 >, 4, 8, 7 >, << 7, 8 >, 1, 8, < 2, 5 >, < 3, 7 >, < 1, 5 >, 4, 6 >, < 4, 7, < 2, 6 >, 1, 8, < 3, 7 >, 2, 5 >>
25. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 4, 6 >, 1, 4, 5, < 1, 8 >, 7, < 2, 8 >, < 3, 6 >>, < 7, 6, < 2, 5 >, 8, < 3, 6 >, 2, 1, 4 >>
26. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 4, 6 >, 1, 6, 5, < 2, 8 >, 7, < 1, 8 >, < 3, 4 >>, < 5, 4, < 2, 7 >, 2, 1, 8, < 3, 4 >, 6 >>
27. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 4, 6 >, 1, 6, 7, < 1, 8 >, 5, < 2, 8 >, < 3, 4 >>, < 7, 4, < 2, 5 >, 2, < 3, 4 >, 8, 1, 6 >>
28. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 5, 7 >, 1, 5, < 1, 8 >, 4, < 2, 8 >, 6, < 3, 7 >>, < 6, 7, < 2, 4 >, < 3, 7 >, 8, 1, 2, 5 >>
29. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 5, 7 >, 1, 7, < 1, 8 >, 6, < 2, 8 >, 4, < 3, 5 >>, < 6, 5, < 2, 4 >, < 3, 5 >, 2, 1, 8, 7 >>
30. << 1, 2, < 1, 3 >, 6, 7, 4, 5, < 1, 2, 8 >>, << 5, 7 >, 1, 7, < 2, 8 >, 4, < 1, 8 >, 6, < 3, 5 >>, < 4, 5, < 2, 6 >, 1, 2, < 3, 5 >, 8, 7 >>
31. << 1, 2, < 1, 3 >, 6, 8, 4, < 1, 2, 7 >, 5 >, << 4, 6 >, 1, 4, 8, < 2, 7 >, 5, < 3, 6 >, < 1, 7 >>, < 5, 6, < 2, 8 >, 7, 1, 2, 4, < 3, 6 >>>
32. << 1, 2, < 1, 3 >, 6, 8, 4, < 1, 2, 7 >, 5 >, << 4, 6 >, 1, 6, 8, < 1, 7 >, 5, < 3, 4 >, < 2, 7 >>, < 8, 4, < 2, 5 >, 2, < 3, 4 >, 7, 6, 1 >>
33. << 1, 2, < 1, 3 >, 6, 8, 4, < 1, 2, 7 >, 5 >, << 5, 8 >, 1, 5, < 2, 7 >, 6, < 1, 7 >, < 3, 8 >, 4 >, < 4, 8, < 2, 6 >, 1, 7, < 3, 8 >, 5, 2 >>
34. << 1, 2, < 1, 3 >, 6, 8, 4, < 1, 2, 7 >, 5 >, << 5, 8 >, 1, 8, < 1, 7 >, 6, < 2, 7 >, < 3, 5 >, 4 >, < 6, 5, < 2, 4 >, < 3, 5 >, 2, 1, 8, 7 >>
35. << 1, 2, < 1, 3 >, 7, < 1, 2, 5 >, 8, 4, 6 >, << 4, 7 >, 1, 4, 6, < 3, 7 >, < 1, 5 >, 8, < 2, 5 >>, < 8, 7, < 2, 6 >, 5, 4, < 3, 7 >, 2, 1 >>

36. << 1, 2, < 1, 3 >, 7, < 1, 2, 5 >, 8, 4, 6 >, << 4, 7 >, 1, 4, 8, < 3, 7 >, < 2, 5 >, 6, < 1, 5 >>, < 6, 7, < 2, 8 >, 5, 4, 1, 2, < 3, 7 >>>
37. << 1, 2, < 1, 3 >, 7, < 1, 2, 5 >, 8, 4, 6 >, << 6, 8 >, 1, 6, < 1, 5 >, < 3, 8 >, 4, < 2, 5 >, 7 >, < 7, 8, < 2, 4 >, < 3, 8 >, 6, 5, 1, 2 >>
38. << 1, 2, < 1, 3 >, 7, < 1, 2, 5 >, 8, 4, 6 >, << 6, 8 >, 1, 6, < 2, 5 >, < 3, 8 >, 7, < 1, 5 >, 4 >, < 4, 8, < 2, 7 >, 1, 6, 5, < 3, 8 >, 2 >>
39. << 1, 2, < 1, 3 >, 7, < 1, 2, 5 >, 8, 4, 6 >, << 6, 8 >, 1, 8, < 1, 5 >, < 3, 6 >, 7, < 2, 5 >, 4 >, < 7, 6, < 2, 4 >, < 3, 6 >, 8, 2, 1, 5 >>
40. << 1, 2, < 1, 3 >, 7, 6, 5, 4, < 1, 2, 8 >>, << 5, 6 >, 1, 6, < 1, 8 >, 7, 4, < 2, 8 >, < 3, 5 >>, < 7, 5, < 2, 4 >, < 3, 5 >, 2, 8, 1, 6 >>
41. << 1, 2, < 1, 3 >, 7, 6, 5, 4, < 1, 2, 8 >>, << 5, 6 >, 1, 6, < 2, 8 >, 4, 7, < 1, 8 >, < 3, 5 >>, < 4, 5, < 2, 7 >, 1, 2, 8, < 3, 5 >, 6 >>
42. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 4, 7 >, 1, 4, 5, < 1, 6 >, < 3, 7 >, 8, < 2, 6 >>, < 8, 7, < 2, 5 >, 6, < 3, 7 >, 4, 2, 1 >>
43. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 4, 7 >, 1, 4, 8, < 2, 6 >, < 3, 7 >, 5, < 1, 6 >>, < 5, 7, < 2, 8 >, 6, 1, 4, 2, < 3, 7 >>>
44. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 4, 7 >, 1, 7, 5, < 2, 6 >, < 3, 4 >, 8, < 1, 6 >>, < 5, 4, < 2, 8 >, 2, 1, 7, 6, < 3, 4 >>>
45. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 4, 7 >, 1, 7, 8, < 1, 6 >, < 3, 4 >, 5, < 2, 6 >>, < 8, 4, < 2, 5 >, 2, < 3, 4 >, 7, 6, 1 >>
46. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 5, 8 >, 1, 5, < 1, 6 >, 4, < 3, 8 >, < 2, 6 >, 7 >, < 7, 8, < 2, 4 >, < 3, 8 >, 6, 5, 1, 2 >>
47. << 1, 2, < 1, 3 >, 7, 8, < 1, 2, 6 >, 4, 5 >, << 5, 8 >, 1, 8, < 1, 6 >, 7, < 3, 5 >, < 2, 6 >, 4 >, < 7, 5, < 2, 4 >, < 3, 5 >, 2, 8, 1, 6 >>
48. << 1, 2, < 1, 3 >, 8, < 1, 2, 5 >, 7, 6, 4 >, << 6, 7 >, 1, 6, < 1, 5 >, < 3, 7 >, 4, 8, < 2, 5 >>, < 8, 7, < 2, 4 >, < 3, 7 >, 6, 5, 2, 1 >>
49. << 1, 2, < 1, 3 >, 8, < 1, 2, 5 >, 7, 6, 4 >, << 6, 7 >, 1, 7, < 2, 5 >, < 3, 6 >, 4, 8, < 1, 5 >>, < 4, 6, < 2, 8 >, 1, 7, 2, 5, < 3, 6 >>>
50. << 1, 2, < 1, 3 >, 8, < 1, 2, 5 >, 7, 6, 4 >, << 4, 8 >, 1, 4, 6, < 3, 8 >, < 1, 5 >, < 2, 5 >, 7 >, < 7, 8, < 2, 6 >, 5, 4, < 3, 8 >, 1, 2 >>
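As an added example (my own code, not from the paper), the following Python re-checks three of the constructions above with bit-sliced arithmetic over GL(m, F_2): Example 6 (1), Example 7 (1) with B = A^{-2}, and triple 1 of Appendix A.1 with B = (A + C)^4. It parses the paper's row-list notation (entry i lists the input bits XORed into output bit i, the convention under which B = A^T in Example 6 matches the listed matrix), counts XORs as row weight minus one, tests MDS as non-singularity of every square block submatrix and tests L^2 = I blockwise; all function names are mine.

```python
from functools import reduce
from itertools import combinations
from operator import xor

# An m x m matrix over F_2 is a tuple of m row bitmasks: bit (j-1) of row i is entry (i, j).
def from_spec(spec):
    """Parse the paper's notation: entry i lists the input bits XORed into output bit i."""
    rows = []
    for e in spec:
        cols = e if isinstance(e, (list, tuple)) else (e,)
        rows.append(sum(1 << (c - 1) for c in cols))
    return tuple(rows)

def xor_count(M):
    """#M in the paper: XOR gates to evaluate M*x (row weight minus one, summed)."""
    return sum(bin(r).count("1") - 1 for r in M)

def identity(m):
    return tuple(1 << i for i in range(m))

def add(X, Y):
    return tuple(x ^ y for x, y in zip(X, Y))

def mul(X, Y):
    """Row i of XY is the XOR of the rows of Y selected by the 1-bits of row i of X."""
    return tuple(reduce(xor, (y for j, y in enumerate(Y) if r >> j & 1), 0) for r in X)

def transpose(X):
    m = len(X)
    return tuple(sum(((X[i] >> j) & 1) << i for i in range(m)) for j in range(m))

def rank(rows):
    """Rank over F_2: pivot on each remaining row's lowest set bit."""
    rows, rk = list(rows), 0
    while rows:
        p = rows.pop()
        if p:
            rk, low = rk + 1, p & -p
            rows = [r ^ p if r & low else r for r in rows]
    return rk

def inverse(X):
    """Gauss-Jordan on [X | I]; X is assumed non-singular."""
    m = len(X)
    aug = [X[i] | 1 << (m + i) for i in range(m)]
    for col in range(m):
        piv = next(i for i in range(col, m) if aug[i] >> col & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(m):
            if i != col and aug[i] >> col & 1:
                aug[i] ^= aug[col]
    return tuple(r >> m for r in aug)

def circ(*A):
    """Circ(A0, A1, A2, A3): block (i, j) is A_((j - i) mod 4)."""
    return [[A[(j - i) % 4] for j in range(4)] for i in range(4)]

def had(*A):
    """Had(A0, A1, A2, A3): block (i, j) is A_(i xor j)."""
    return [[A[i ^ j] for j in range(4)] for i in range(4)]

def is_mds(L):
    """MDS over GL(m, F_2): every square block submatrix of L is non-singular."""
    m = len(L[0][0])
    for k in range(1, 5):
        for rs in combinations(range(4), k):
            for cs in combinations(range(4), k):
                sub = [sum(L[i][j][r] << t * m for t, j in enumerate(cs))
                       for i in rs for r in range(m)]
                if rank(sub) < k * m:
                    return False
    return True

def is_involutory(L):
    """L * L == I, multiplied blockwise (the entries need not commute)."""
    I, Z = identity(len(L[0][0])), (0,) * len(L[0][0])
    return all(reduce(add, (mul(L[i][k], L[k][j]) for k in range(4))) == (I if i == j else Z)
               for i in range(4) for j in range(4))

def example6_m4():
    """Example 6 (1): Had(I, A, A^T, A + A^T) over GL(4, F_2) with #A + #B + #C = 4."""
    A = from_spec([2, 3, 4, [1, 3]])
    B, C = transpose(A), add(A, transpose(A))
    return is_mds(had(identity(4), A, B, C)), xor_count(A) + xor_count(B) + xor_count(C)

def example7_m4():
    """Example 7 (1): the Section 5 matrix L with B = A^-2 and 4#A + 3#B = 13."""
    A = from_spec([[2, 3], 4, 2, 1])
    B, I = mul(inverse(A), inverse(A)), identity(4)
    L = [[A, I, I, I], [I, I, B, A], [I, A, I, B], [I, B, A, I]]
    return is_mds(L), 4 * xor_count(A) + 3 * xor_count(B), B

def appendix_a1_triple1():
    """Appendix A.1, triple 1: Circ(I, A, B, C) with B = (A + C)^4 and #A + #B + #C = 5."""
    A, C = from_spec([1, 2, [1, 3], [1, 2, 4]]), from_spec([4, 3, 2, 1])
    S2 = mul(add(A, C), add(A, C))
    B = mul(S2, S2)
    L = circ(identity(4), A, B, C)
    return is_mds(L), is_involutory(L), xor_count(A) + xor_count(B) + xor_count(C), B
```

Any other triple from the appendix or pair from Example 7 can be checked the same way by changing the from_spec inputs.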


More information

MPEG has been established as an international standard

MPEG has been established as an international standard 1100 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY, VOL. 9, NO. 7, OCTOBER 1999 Fast Extraction of Spatially Reduced Image Sequences from MPEG-2 Compressed Video Junehwa Song, Member,

More information

LFSR stream cipher RC4. Stream cipher. Stream Cipher

LFSR stream cipher RC4. Stream cipher. Stream Cipher Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 89 Stream Cipher Suppose you want to encrypt a stream of data, such as: the data from a keyboard the data from a sensor Block ciphers

More information

1360 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 3, MARCH Optimal Encoding for Discrete Degraded Broadcast Channels

1360 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 3, MARCH Optimal Encoding for Discrete Degraded Broadcast Channels 1360 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 59, NO 3, MARCH 2013 Optimal Encoding for Discrete Degraded Broadcast Channels Bike Xie, Thomas A Courtade, Member, IEEE, Richard D Wesel, SeniorMember,

More information

Physical Layer Built-in Security Enhancement of DS-CDMA Systems Using Secure Block Interleaving

Physical Layer Built-in Security Enhancement of DS-CDMA Systems Using Secure Block Interleaving transmitted signal. CDMA signals can easily be hidden within the noise floor, and it is impossible to recover the desired user s signal without knowing both the user s spreading code and scrambling sequence.

More information

TITLE OF CHAPTER FOR PD FCCS MONOGRAPHY: EXAMPLE WITH INSTRUCTIONS

TITLE OF CHAPTER FOR PD FCCS MONOGRAPHY: EXAMPLE WITH INSTRUCTIONS TITLE OF CHAPTER FOR PD FCCS MONOGRAPHY: EXAMPLE WITH INSTRUCTIONS Danuta RUTKOWSKA 1,2, Krzysztof PRZYBYSZEWSKI 3 1 Department of Computer Engineering, Częstochowa University of Technology, Częstochowa,

More information

VLSI System Testing. BIST Motivation

VLSI System Testing. BIST Motivation ECE 538 VLSI System Testing Krish Chakrabarty Built-In Self-Test (BIST): ECE 538 Krish Chakrabarty BIST Motivation Useful for field test and diagnosis (less expensive than a local automatic test equipment)

More information

Key-based scrambling for secure image communication

Key-based scrambling for secure image communication University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2012 Key-based scrambling for secure image communication

More information

Segmented Leap-Ahead LFSR Architecture for Uniform Random Number Generator

Segmented Leap-Ahead LFSR Architecture for Uniform Random Number Generator , pp.233-242 http://dx.doi.org/10.14257/ijseia.2013.7.5.21 Segmented Leap-Ahead LFSR Architecture for Uniform Random Number Generator Je-Hoon Lee 1 and Seong Kun Kim 2 1 Div. of Electronics, Information

More information

Physical Layer Built-in Security Analysis and Enhancement of CDMA Systems

Physical Layer Built-in Security Analysis and Enhancement of CDMA Systems Physical Layer Built-in Security Analysis and Enhancement of CDMA Systems Tongtong Li Jian Ren Qi Ling Weiguo Liang Department of Electrical & Computer Engineering, Michigan State University, East Lansing,

More information

V.Sorge/E.Ritter, Handout 5

V.Sorge/E.Ritter, Handout 5 06-20008 Cryptography The University of Birmingham Autumn Semester 2015 School of Computer Science V.Sorge/E.Ritter, 2015 Handout 5 Summary of this handout: Stream Ciphers RC4 Linear Feedback Shift Registers

More information

DIGITAL ELECTRONICS & it0203 Semester 3

DIGITAL ELECTRONICS & it0203 Semester 3 DIGITAL ELECTRONICS & it0203 Semester 3 P.Rajasekar & C.M.T.Karthigeyan Asst.Professor SRM University, Kattankulathur School of Computing, Department of IT 8/22/20 Disclaimer The contents of the slides

More information

New Address Shift Linear Feedback Shift Register Generator

New Address Shift Linear Feedback Shift Register Generator New Address Shift Linear Feedback Shift Register Generator Kholood J. Moulood Department of Mathematical, Tikrit University, College of Education for Women, Salahdin. E-mail: khmsc2006@yahoo.com. Abstract

More information

CSE 101. Algorithm Design and Analysis Miles Jones Office 4208 CSE Building Lecture 9: Greedy

CSE 101. Algorithm Design and Analysis Miles Jones Office 4208 CSE Building Lecture 9: Greedy CSE 101 Algorithm Design and Analysis Miles Jones mej016@eng.ucsd.edu Office 4208 CSE Building Lecture 9: Greedy GENERAL PROBLEM SOLVING In general, when you try to solve a problem, you are trying to find

More information

A Functional Representation of Fuzzy Preferences

A Functional Representation of Fuzzy Preferences Forthcoming on Theoretical Economics Letters A Functional Representation of Fuzzy Preferences Susheng Wang 1 October 2016 Abstract: This paper defines a well-behaved fuzzy order and finds a simple functional

More information

Atomic-AES v2.0.

Atomic-AES v2.0. Atomic-AES v2.0 Subhadeep Banik 1, Andrey Bogdanov 2 and Francesco Regazzoni 3 1 Temasek Labs, Nanyang Technological University, Singapore bsubhadeep@ntu.edu.sg 2 DTU Compute, Technical University of Denmark,

More information

ALONG with the progressive device scaling, semiconductor

ALONG with the progressive device scaling, semiconductor IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 57, NO. 4, APRIL 2010 285 LUT Optimization for Memory-Based Computation Pramod Kumar Meher, Senior Member, IEEE Abstract Recently, we

More information

A Hardware Oriented Method to Generate and Evaluate Nonlinear Interleaved Sequences with Desired properties

A Hardware Oriented Method to Generate and Evaluate Nonlinear Interleaved Sequences with Desired properties A Hardware Oriented Method to Generate and Evaluate Nonlinear Interleaved Sequences with Desired properties Quynh Le Chi 1 Cuong Nguyen Le 2 Thang Pham Xuan 2 1. Van Lang University, 45 Tran Khac Nhu,

More information

Security Assessment of TUAK Algorithm Set

Security Assessment of TUAK Algorithm Set Security Assessment of TUAK Algorithm Set PROJECT REPORT by Guang Gong, Kalikinkar Mandal, Yin Tan, Teng Wu { ggong, kmandal, yin.tan, teng.wu }@uwaterloo.ca Communications Security Lab Department of Electrical

More information

Music and Mathematics: On Symmetry

Music and Mathematics: On Symmetry Music and Mathematics: On Symmetry Monday, February 11th, 2019 Introduction What role does symmetry play in aesthetics? Is symmetrical art more beautiful than asymmetrical art? Is music that contains symmetries

More information

Attacking of Stream Cipher Systems Using a Genetic Algorithm

Attacking of Stream Cipher Systems Using a Genetic Algorithm Attacking of Stream Cipher Systems Using a Genetic Algorithm Hameed A. Younis (1) Wasan S. Awad (2) Ali A. Abd (3) (1) Department of Computer Science/ College of Science/ University of Basrah (2) Department

More information

Design for Test. Design for test (DFT) refers to those design techniques that make test generation and test application cost-effective.

Design for Test. Design for test (DFT) refers to those design techniques that make test generation and test application cost-effective. Design for Test Definition: Design for test (DFT) refers to those design techniques that make test generation and test application cost-effective. Types: Design for Testability Enhanced access Built-In

More information

High-Speed Hybrid Ring Generator Design Providing Maximum-Length Sequences with Low Hardware Cost

High-Speed Hybrid Ring Generator Design Providing Maximum-Length Sequences with Low Hardware Cost Technical Report High-Speed Hybrid Ring Generator Design Providing Maximum-Length Sequences with Low Hardware Cost Laung-Terng Wang, Nur A. Touba, Richard P. Brent, Hui Wang, and Hui Xu UT-CERC-- October,

More information

Cryptography CS 555. Topic 5: Pseudorandomness and Stream Ciphers. CS555 Spring 2012/Topic 5 1

Cryptography CS 555. Topic 5: Pseudorandomness and Stream Ciphers. CS555 Spring 2012/Topic 5 1 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers CS555 Spring 2012/Topic 5 1 Outline and Readings Outline Stream ciphers LFSR RC4 Pseudorandomness Readings: Katz and Lindell: 3.3, 3.4.1

More information

Piya Pal. California Institute of Technology, Pasadena, CA GPA: 4.2/4.0 Advisor: Prof. P. P. Vaidyanathan

Piya Pal. California Institute of Technology, Pasadena, CA GPA: 4.2/4.0 Advisor: Prof. P. P. Vaidyanathan Piya Pal 1200 E. California Blvd MC 136-93 Pasadena, CA 91125 Tel: 626-379-0118 E-mail: piyapal@caltech.edu http://www.systems.caltech.edu/~piyapal/ Education Ph.D. in Electrical Engineering Sep. 2007

More information

Embedding Multilevel Image Encryption in the LAR Codec

Embedding Multilevel Image Encryption in the LAR Codec Embedding Multilevel Image Encryption in the LAR Codec Jean Motsch, Olivier Déforges, Marie Babel To cite this version: Jean Motsch, Olivier Déforges, Marie Babel. Embedding Multilevel Image Encryption

More information

LFSR Counter Implementation in CMOS VLSI

LFSR Counter Implementation in CMOS VLSI LFSR Counter Implementation in CMOS VLSI Doshi N. A., Dhobale S. B., and Kakade S. R. Abstract As chip manufacturing technology is suddenly on the threshold of major evaluation, which shrinks chip in size

More information

TEST PATTERNS COMPRESSION TECHNIQUES BASED ON SAT SOLVING FOR SCAN-BASED DIGITAL CIRCUITS

TEST PATTERNS COMPRESSION TECHNIQUES BASED ON SAT SOLVING FOR SCAN-BASED DIGITAL CIRCUITS TEST PATTERNS COMPRESSION TECHNIQUES BASED ON SAT SOLVING FOR SCAN-BASED DIGITAL CIRCUITS Jiří Balcárek Informatics and Computer Science, 1-st class, full-time study Supervisor: Ing. Jan Schmidt, Ph.D.,

More information

A Pseudorandom Binary Generator Based on Chaotic Linear Feedback Shift Register

A Pseudorandom Binary Generator Based on Chaotic Linear Feedback Shift Register A Pseudorandom Binary Generator Based on Chaotic Linear Feedback Shift Register Saad Muhi Falih Department of Computer Technical Engineering Islamic University College Al Najaf al Ashraf, Iraq saadmuheyfalh@gmail.com

More information

RESEARCH OF FRAME SYNCHRONIZATION TECHNOLOGY BASED ON PERFECT PUNCTURED BINARY SEQUENCE PAIRS

RESEARCH OF FRAME SYNCHRONIZATION TECHNOLOGY BASED ON PERFECT PUNCTURED BINARY SEQUENCE PAIRS Research Rev. Adv. Mater. of frame Sci. synchronization 33 (2013) 261-265 technology based on perfect punctured binary sequence pairs 261 RESEARCH OF FRAME SYNCHRONIZATION TECHNOLOGY BASED ON PERFECT PUNCTURED

More information

Digital Circuits. Electrical & Computer Engineering Department (ECED) Course Notes ECED2200. ECED2200 Digital Circuits Notes 2012 Dalhousie University

Digital Circuits. Electrical & Computer Engineering Department (ECED) Course Notes ECED2200. ECED2200 Digital Circuits Notes 2012 Dalhousie University 1 Digital Circuits Electrical & Computer Engineering Department (ECED) Course Notes ECED2200 2 Table of Contents Digital Circuits... 7 Logic Gates... 8 AND Gate... 8 OR Gate... 9 NOT Gate... 10 NOR Gate...

More information

A Very Compact FPGA Implementation of LED and PHOTON

A Very Compact FPGA Implementation of LED and PHOTON A Very Compact FPGA Implementation of LED and PHOTON N. Nalla Anandakumar 1,2, Thomas Peyrin 1 and Axel Poschmann 1,3 1 Division of Mathematical Sciences, School of Physical and Mathematical Science, Nanyang

More information

854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I: REGULAR PAPERS, VOL. 62, NO. 3, MARCH 2015

854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I: REGULAR PAPERS, VOL. 62, NO. 3, MARCH 2015 854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I: REGULAR PAPERS, VOL. 62, NO. 3, MARCH 2015 Efficient Subquadratic Space Complexity Architectures Parallel MPB Single- and Double-Multiplications All Trinomials

More information

Hardware Implementation of Viterbi Decoder for Wireless Applications

Hardware Implementation of Viterbi Decoder for Wireless Applications Hardware Implementation of Viterbi Decoder for Wireless Applications Bhupendra Singh 1, Sanjeev Agarwal 2 and Tarun Varma 3 Deptt. of Electronics and Communication Engineering, 1 Amity School of Engineering

More information

Development of Simple-Matrix LCD Module for Motion Picture

Development of Simple-Matrix LCD Module for Motion Picture Development of Simple-Matrix LCD Module for Motion Picture Kunihiko Yamamoto* Shinya Takahashi* Kouki Taniguchi* * A1203 Project Team Abstract A simple-matrix LCD module (12.1-in. SVGA) has been developed

More information

Testing of Cryptographic Hardware

Testing of Cryptographic Hardware Testing of Cryptographic Hardware Presented by: Debdeep Mukhopadhyay Dept of Computer Science and Engineering, Indian Institute of Technology Madras Motivation Behind the Work VLSI of Cryptosystems have

More information

OMS Based LUT Optimization

OMS Based LUT Optimization International Journal of Advanced Education and Research ISSN: 2455-5746, Impact Factor: RJIF 5.34 www.newresearchjournal.com/education Volume 1; Issue 5; May 2016; Page No. 11-15 OMS Based LUT Optimization

More information

Modified Generalized Integrated Interleaved Codes for Local Erasure Recovery

Modified Generalized Integrated Interleaved Codes for Local Erasure Recovery Modified Generalized Integrated Interleaved Codes for Local Erasure Recovery Xinmiao Zhang Dept. of Electrical and Computer Engineering The Ohio State University Outline Traditional failure recovery schemes

More information

NUMB3RS Activity: Coded Messages. Episode: The Mole

NUMB3RS Activity: Coded Messages. Episode: The Mole Teacher Page 1 : Coded Messages Topic: Inverse Matrices Grade Level: 10-11 Objective: Students will learn how to apply inverse matrix multiplication to the coding of values. Time: 15 minutes Materials:

More information

Design of Memory Based Implementation Using LUT Multiplier

Design of Memory Based Implementation Using LUT Multiplier Design of Memory Based Implementation Using LUT Multiplier Charan Kumar.k 1, S. Vikrama Narasimha Reddy 2, Neelima Koppala 3 1,2 M.Tech(VLSI) Student, 3 Assistant Professor, ECE Department, Sree Vidyanikethan

More information

Performance Evaluation of Stream Ciphers on Large Databases

Performance Evaluation of Stream Ciphers on Large Databases IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.9, September 28 285 Performance Evaluation of Stream Ciphers on Large Databases Dr.M.Sikandar Hayat Khiyal Aihab Khan Saria

More information

IN 1968, Anderson [6] proposed a memory structure named

IN 1968, Anderson [6] proposed a memory structure named IEEE TRANSACTIONS ON NEURAL NETWORKS, VOL 16, NO 2, MARCH 2005 293 Encoding Strategy for Maximum Noise Tolerance Bidirectional Associative Memory Dan Shen Jose B Cruz, Jr, Life Fellow, IEEE Abstract In

More information

STA4000 Report Decrypting Classical Cipher Text Using Markov Chain Monte Carlo

STA4000 Report Decrypting Classical Cipher Text Using Markov Chain Monte Carlo STA4000 Report Decrypting Classical Cipher Text Using Markov Chain Monte Carlo Jian Chen Supervisor: Professor Jeffrey S. Rosenthal May 12, 2010 Abstract In this paper, we present the use of Markov Chain

More information

Improving Performance in Neural Networks Using a Boosting Algorithm

Improving Performance in Neural Networks Using a Boosting Algorithm - Improving Performance in Neural Networks Using a Boosting Algorithm Harris Drucker AT&T Bell Laboratories Holmdel, NJ 07733 Robert Schapire AT&T Bell Laboratories Murray Hill, NJ 07974 Patrice Simard

More information

Application of Symbol Avoidance in Reed-Solomon Codes to Improve their Synchronization

Application of Symbol Avoidance in Reed-Solomon Codes to Improve their Synchronization Application of Symbol Avoidance in Reed-Solomon Codes to Improve their Synchronization Thokozani Shongwe Department of Electrical and Electronic Engineering Science, University of Johannesburg, P.O. Box

More information

On the Optimal Compressions in the Compress-and-Forward Relay Schemes

On the Optimal Compressions in the Compress-and-Forward Relay Schemes IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 5, MAY 2013 2613 On the Optimal Compressions in the Compress--Forward Relay Schemes Xiugang Wu, Student Member, IEEE, Liang-Liang Xie, Senior Member,

More information

Permutations of the Octagon: An Aesthetic-Mathematical Dialectic

Permutations of the Octagon: An Aesthetic-Mathematical Dialectic Proceedings of Bridges 2015: Mathematics, Music, Art, Architecture, Culture Permutations of the Octagon: An Aesthetic-Mathematical Dialectic James Mai School of Art / Campus Box 5620 Illinois State University

More information

An Efficient Low Bit-Rate Video-Coding Algorithm Focusing on Moving Regions

An Efficient Low Bit-Rate Video-Coding Algorithm Focusing on Moving Regions 1128 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY, VOL. 11, NO. 10, OCTOBER 2001 An Efficient Low Bit-Rate Video-Coding Algorithm Focusing on Moving Regions Kwok-Wai Wong, Kin-Man Lam,

More information

Route optimization using Hungarian method combined with Dijkstra's in home health care services

Route optimization using Hungarian method combined with Dijkstra's in home health care services Research Journal of Computer and Information Technology Sciences ISSN 2320 6527 Route optimization using Hungarian method combined with Dijkstra's method in home health care services Abstract Monika Sharma

More information

data and is used in digital networks and storage devices. CRC s are easy to implement in binary

data and is used in digital networks and storage devices. CRC s are easy to implement in binary Introduction Cyclic redundancy check (CRC) is an error detecting code designed to detect changes in transmitted data and is used in digital networks and storage devices. CRC s are easy to implement in

More information

BeepBeep: Embedded Real-Time Encryption

BeepBeep: Embedded Real-Time Encryption BeepBeep: Embedded Real-Time Encryption Kevin Driscoll Honeywell Laboratories, 3660 Technology Drive, Minneapolis, MN 55418, USA kevin.driscoll@honeywell.com Abstract. The BeepBeep algorithm is designed

More information

Department of CSIT. Class: B.SC Semester: II Year: 2013 Paper Title: Introduction to logics of Computer Max Marks: 30

Department of CSIT. Class: B.SC Semester: II Year: 2013 Paper Title: Introduction to logics of Computer Max Marks: 30 Department of CSIT Class: B.SC Semester: II Year: 2013 Paper Title: Introduction to logics of Computer Max Marks: 30 Section A: (All 10 questions compulsory) 10X1=10 Very Short Answer Questions: Write

More information

WATERMARKING USING DECIMAL SEQUENCES. Navneet Mandhani and Subhash Kak

WATERMARKING USING DECIMAL SEQUENCES. Navneet Mandhani and Subhash Kak Cryptologia, volume 29, January 2005 WATERMARKING USING DECIMAL SEQUENCES Navneet Mandhani and Subhash Kak ADDRESS: Department of Electrical and Computer Engineering, Louisiana State University, Baton

More information